Intel Macs that use Apple’s T2 Security Chip are vulnerable to an exploit that could allow a hacker to circumvent disk encryption, firmware passwords and the whole T2 security verification chain, according to a cybersecurity researcher.
Apple’s custom-silicon T2 co-processor is present in newer Macs and handles encrypted storage and secure boot capabilities, as well as several other controller features. In a blog post, however, security researcher Niels Hofmans claims that because the chip is based on an A10 processor it’s vulnerable to the same checkm8 exploit that is used to jailbreak iOS devices.
This vulnerability is reportedly able to hijack the boot process of the T2’s SepOS operating system to gain access to the hardware. Normally the T2 chip exits with a fatal error if it is in Device Firmware Update (DFU) mode and it detects a decryption call, but by using another vulnerability developed by team Pangu, Hofmans
A serious security vulnerability in Grindr, the most popular dating app for gay, bi, trans, and queer people, has been discovered, which could have allowed anyone to infiltrate and take over a Grindr account simply by knowing the account holder’s email address.
As well as making it easy for bad actors to impersonate other people, the vulnerability would have given them easy access to potentially highly sensitive information, including the user’s HIV status, intimate pictures, dating history and sexual orientation.
In a blog post explaining how the vulnerability could be exploited, security researcher Troy Hunt described it as “one of the most basic account takeover techniques I’ve seen,” adding that “the ease of exploit is unbelievably low and the impact is obviously significant.”
He flagged the security flaw to Grindr after being tipped off by French security researcher Wassime Bouimadaghene, who had repeatedly tried to warn the company about it,
Before the season, the NFL boasted of a new contact-tracing technology that would keep players from getting too close together and that would make it easier to work backward to identify others who need to be tested and/or evaluated in the event a player tests positive. During the season, there’s an apparent problem with the so-called “Proximity Recording Device.”
As noted in the immediate aftermath of the news that Saints had learned late last night that fullback Michael Burton had tested positive for COVID-19, the contact-tracing process identified three people who required further testing, etc. The Saints identified on their own four others who were sitting close enough to Burton on the flight to Detroit that the Proximity Recording Device should have recorded their proximity to Burton. It should have, but it didn’t.
It’s important for the league to be willing to take a hard look at its protocols on
You would think a dating app that knows your sexuality and HIV status would take thorough precautions to keep that info protected, but Grindr has disappointed the world once again — this time, with a gobsmackingly egregious security vulnerability that could have let literally anyone who could guess your email address into your user account.
Luckily, French security researcher Wassime Bouimadaghene discovered the vulnerability, perhaps before it could be exploited, and it’s now been fixed.
Unluckily for Grindr, the company ignored his disclosures — until security researcher Troy Hunt (of Have I Been Pwned) and journalist Zack Whittaker (of TechCrunch) each confirmed the issue and wrote about it.
The details need to be seen to be believed (so please look at the image below) but the short version is this: if you put an email address into Grindr’s password reset form, it would send a message back to your
A Grindr vulnerability allowed anyone who knows a user’s email address to easily reset their password and hijack their account. All a bad actor needed to do was type in a user’s email address in the password reset page and then pop open the dev tools to get the reset token. By adding that token to the end of the password reset URL, they won’t even need to access the victim’s inbox — that’s the exact link sent to the user’s email anyway. It loads the page where they can input a new password, giving them a way to ultimately take over the victim’s account.
BERLIN, GERMANY – APRIL 22: The logo of the dating app for gay and bisexual men Grindr is shown on the display of a smartphone on April 22, 2020 in Berlin, Germany. (Photo by Thomas Trutschel/Photothek via Getty Images)
Grindr, one of the world’s largest dating and social networking apps for gay, bi, trans, and queer people, has fixed a security vulnerability that allowed anyone to hijack and take control of any user’s account using only their email address.
Wassime Bouimadaghene, a French security researcher, found the vulnerability and reported the issue to Grindr. When he didn’t hear back, Bouimadaghene shared details of the vulnerability with security expert Troy Hunt to help.
The vulnerability was fixed a short time later.
Hunt tested and confirmed the vulnerability with help from a test account set up by Scott Helme, and shared his findings with TechCrunch.
Bouimadaghene found the vulnerability in how the app handles account password resets.
To reset a password, Grindr sends the user an email with a clickable link containing an account password reset token. Once clicked, the user can change their password and is allowed back into